Ephemeral port range (patch)

Fernando Gont fernando at gont.com.ar
Mon Mar 3 04:45:09 UTC 2008


At 09:49 p.m. 02/03/2008, you wrote:

>+1 on increasing the threshold, 1024 is way too low.

With the current patch, I agree. I'm planning to implement the scheme 
described in the port randomization internet-draft I referenced, and 
implement the array-of-bits thing. That way you can exclude whichever 
ports you want, without "wasting" the 1024-9999 port range.



>Also consider the folk who depend on the existing behaviour: a 
>predictable ephemeral port range is useful, if for some reason you 
>need to apply a NAT policy to that traffic, with no other
>knowledge about how the applications you must NAT actually behave.

You can still set porthi or portlow to select whichever port range 
you want. The patch just changes the default case.

As noted in one of the sections of the draft I referenced, it turns out 
that each TCP/IP stack chooses its own range for the ephemeral ports. 
So unless you're tweaking the configuration of each of the systems 
you have behind the NAT, I'm afraid you won't be able to implement 
such a policy. FWIW, Windows used the range 1024-4999 or something... 
at least W95 and XP. Vista probably still does the same thing.

Kind regards,

--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
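A sketch of the array-of-bits idea discussed in this thread, added here as an illustrative example (it is neither Fernando's patch nor the draft's exact algorithm): a one-bit-per-port exclusion map, plus a randomized pick over the portlow..porthi range that walks past excluded ports instead of reserving a whole block. The exclusion of port 3306 and the fixed `rnd` values are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_BITMAP_WORDS (65536 / 32)

/* One bit per TCP/UDP port; a set bit means "never hand this out as an ephemeral port". */
typedef struct { uint32_t bits[PORT_BITMAP_WORDS]; } port_bitmap_t;

static void port_exclude(port_bitmap_t *m, uint16_t port) {
    m->bits[port / 32] |= 1u << (port % 32);
}

static int port_is_excluded(const port_bitmap_t *m, uint16_t port) {
    return (m->bits[port / 32] >> (port % 32)) & 1u;
}

/* Choose an ephemeral port in [lo, hi] (the portlow/porthi knobs mentioned in the
 * thread): start at a random offset into the range and walk forward, wrapping,
 * until a port that is not excluded is found. Returns 0 if every port is excluded.
 * `rnd` is passed in rather than drawn here so the caller picks the entropy source. */
static uint16_t pick_ephemeral_port(const port_bitmap_t *m, uint16_t lo, uint16_t hi, uint32_t rnd) {
    uint32_t span = (uint32_t)hi - lo + 1;
    for (uint32_t i = 0; i < span; i++) {
        uint16_t port = (uint16_t)(lo + (rnd + i) % span);
        if (!port_is_excluded(m, port))
            return port;
    }
    return 0;
}

/* Constructed demo policy: keep the well-known ports (0-1023) and one locally
 * important port (3306, hypothetical) out of the pool, but leave the rest of
 * 1024-65535 usable instead of skipping all of 1024-9999. */
static uint16_t demo_pick(uint32_t rnd) {
    port_bitmap_t m;
    memset(&m, 0, sizeof m);
    for (uint16_t p = 0; p < 1024; p++)
        port_exclude(&m, p);
    port_exclude(&m, 3306);
    return pick_ephemeral_port(&m, 1024, 65535, rnd);
}

int main(void) {
    /* rnd values are fixed here for reproducibility; a kernel would use its CSPRNG. */
    printf("%u %u %u\n", demo_pick(0), demo_pick(2282), demo_pick(64511));
    return 0;
}
```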






More information about the freebsd-net mailing list